RUCKUS Access Point Device Certificate Refresh or replacement procedure for all platforms
Summary
This is the master article for all RUCKUS AP device certificate replacement related procedure and resolutionQuestion
RUCKUS Controller is showing AP Certificate is expired, what is the impact and how do I fix it?Customer Environment
Any RUCKUS AP running on ZD 9.9 and later version, or SZ software versions 3.1.2 / 3.2.1 or later, or in standalone version, and manufacturing date is November 2016 or before.Root Cause
Old official issuer (CA) certificate of RUCKUS was expired in November 2016, device certificates on RUCKUS APs are not expiring. Due to this, if any AP which has old certificate, it will not connect to SmartZone and Cloud where AP certificate validation enabled on controller. This is by default enabled on RUCKUS Cloud and cannot be disabled.Symptoms
What are the symptoms and impact if AP device certificate is expired (old issuer) or invalid?You will observe below behavior.
For SmartZone APs
- AP will not be able to join SmartZone and in logs you will see device (AP) certificate check failure.
- If you disable the AP cert check on SmartZone, then AP will join but SZ will show you AP certificate expiry alert on the dashboard.
For Ruckus Cloud
- AP will not join RUCKUS Cloud, as AP certificate check is mandatory.
- AP connection to ZD will not be impacted as ZD uses HTTP by default for the communication, but system will show AP certificate expiry alerts.
- Not applicable
Troubleshooting Steps
SSH into the AP and check the device certificate issuer name and validity.Command: get rpki-cert issuer
Below are the example of good vs bad certificates
Updated/New cert output:
rkscli: get rpki-cert issuer
Issuer: RuckusPKI-DeviceSubCA-2
OK
Old cert output:
rkscli: get rpki-cert issuer
Issuer: Ruckus Wireless, Inc.
OK
Note: As long as out of the above commands includes the value "RuckusPKI" you have a valid AP certificate.
Workaround
For SmartZone APs:- Disable AP certificate validation check on SmartZone (not recommended due to security reasons).
SmartZone(config)# no ap-cert-check >>>> To Disable AP certificate validation
Do you want to continue to disable (or input 'no' to cancel)? [yes/no] yes
Successful operation
% This configuration will take effective in a few minutes.
SmartZone(config)# ap-cert-check >>>> To Enable AP certificate validation
For RUCKUS Cloud:
- No workaround. Certificate check/validation cannot be disable on RUCKUS Cloud.
- N/A
- N/A
Resolution
Prerequisite: If you are handling certificate(s) for the AP(s) which is/are managed by a RUCKUS controller, make sure AP(s) is/are online on controller when you create the AP certificate request file or restoring the AP certificate resolution file.
Its a 3 step procedure:
Step1: Generate/download the certificate request (.req) file from your Controller/AP.
Step2: Contact RUCKUS support with the certificate request file (.req)
Step3: Support will provide you the certificate resolution file, which you need to upload to the controller/AP.
Below are the steps to for all RUCKUS management platforms to generate the certificate replacement file, and upload the resolution file.
For SmartZone managed APs:
3.4.x
1-2. Login to SZ Web UI >> Administration >> AP Certificate Replacement
3-5. Check if there are any APs with Update Pending Update failed status >> Select the AP(s) from the list of pending cert update APs >> Export the request file (.req)
6. Open a case with Support and provide the .req file, they will process it and provide you the .res file.
7-9. Click on "Import AP certificate response (.rs) file" >> Brows the .res file and hit apply.
10. You can review the cert upload status under "Certificate Status".
Note: Ignore the Strikethrough text in the above screenshot, it is no longer applicable.
3.5.x, 3.6.x, 5.x and above
- Only AP Certificate replacement page location is changed, rest of the steps are same as 3.4.x.
- Page is now located under System >> Certificates >> AP Certificate Replacement
Note: Ignore the Strikethrough text in the above screenshot, it is no longer applicable.
6.x and above
- Starting from 6.0 SZ web UI was changed so look and feel is different, AP Certificate Replacement page now located under Administration >> Certificates >> AP Certificate Replacement. Rest of the process is same as 3.4.x and 3.5.x.
For ZoneDirector managed APs
9.13.x
- Login to ZD Web UI and go to Configure >> Certificate >> Advanced Options >> Import RUCKUS PKI Certificate Package
- To generate RUCKUS PKI certificate request, please input the valid number of APs whose certificate should be updated and click on "click here" link. (Range: 0~100, 0 means ALL)
- Step two will generate and download a '.req' file "<ZD_DEVICE_NAME>_rpki_cert_request.req".
- Open a case with Support with the .req file and they will provide you the .res file.
- Once you get the .res file, upload it to ZD by clocking on "Choose File" button and ZD will process the file and apply the certificate to the AP(s).
10.x
- Process is same as 9.13.x, only web UI look and feel is different.
Note: Ignore the Strikethrough text in the above screenshot, it is no longer applicable.
For standalone APs
- Login to AP web UI and go to Administration >> Management >> Certificate Verification >> Click on "Request to reissue a new certificate". This will download a request file (.req).
- Contact RUCKUS support with the request file and Support will provide you the resolution(.res) file.
- Now go to Maintenance >> Upgrade >> Select "Local" >> Device Certificate >> Choose the file (.res file which you have received from Support) >> Upload the certificate.
Article Number:
000005309
Updated:
April 17, 2023 02:27 PM (about 1 year ago)
Tags:
Firmware, Security, Known Issues and Workarounds, ZoneDirector, ZoneFlex Indoor, ZoneFlex Outdoor, FlexMaster UMM, SmartCell AP, Ruckus Support Services, SZ100
Votes:
3
This article is:
helpful
not helpful